Intel & ME, and why we should get rid of ME

If you did not know, built into all modern Intel-based platforms is a
small, low-power computer subsystem called the Intel Management Engine
(ME). It performs various tasks while the system is in sleep mode,
during the boot process, and also when your system is running.

Architecturally, the ME varies from model to model, and over the past
decade it has been growing in complexity. In general, it consists of
one or more processor cores, memory, system clock, internal bus,
and reserved protected memory used as part of its own cryptography
engine. It has its own operating system and suite of programs, and it
has access to the main system's memory, as well as access to the
network through the Intel Gigabit Ethernet Controller. If you had
control over the ME, then it would be a powerful subsystem that could
be used for security and administration of your device.

The ME firmware runs various proprietary programs created by Intel for
the platform, including its infamous Active Management Technology
(AMT), Intel's Boot Guard, and an audio and video Digital Restrictions
Management system specifically for ultra-high definition media called
"Intel Insider." While some of this technology is marketed to provide
you with convenience and protection, what it requires from you, the
user, is to give up control over your computer. This control benefits
Intel, their business partners, and large media companies. Intel is
effectively leasing out to third parties the right to control how,
if, and when you can access certain data and software on your
machine.

Leah Rowe of GNU Libreboot states that the "Intel Management Engine
with its proprietary firmware has complete access to and control over
the PC: it can power on or shut down the PC, read all open files,
examine all running applications, track all keys pressed and mouse
movements, and even capture or display images on the screen. And it
has a network interface that is demonstrably insecure, which can allow
an attacker on the network to inject rootkits that completely
compromise the PC and can report to the attacker all activities
performed on the PC. It is a threat to freedom, security, and privacy
that can't be ignored."

At this time, developing free replacement firmware for the ME is
basically impossible. The only entity capable of replacing the ME
firmware is Intel and its OEM partners. And, since the ME is a control
hub for your machine, you can no longer simply disable the ME like you
could on earlier models, such as the Libreboot X200 laptop.